db-derby-dev mailing list archives

From "Rick Hillegas (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-5748) Native user authentication: SYSCS_UTIL.SYSCS_MODIFY_PASSWORD accepts old password
Date Mon, 07 May 2012 13:34:57 GMT

    [ https://issues.apache.org/jira/browse/DERBY-5748?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13269605#comment-13269605 ]

Rick Hillegas commented on DERBY-5748:

Password vetters often prevent you from re-using any previous password, not just the current
one. This would involve maintaining an audit history. I agree that password strength checking
would be useful too. For the moment, applications will have to perform these services themselves.
> Native user authentication: SYSCS_UTIL.SYSCS_MODIFY_PASSWORD accepts old password
> ---------------------------------------------------------------------------------
>                 Key: DERBY-5748
>                 URL: https://issues.apache.org/jira/browse/DERBY-5748
>             Project: Derby
>          Issue Type: Improvement
>          Components: Services
>    Affects Versions:
>            Reporter: Dag H. Wanvik
> Modifying the password to the same as the old one will reset the timeout specified in
> This means that a lazy user can subvert the security policy embodied in the timeout.
> It would be an improvement to require a different one.
> Of course, we don't currently have any password strength checking either, so it may not
> be worth just implementing this change without making some configurable strength checking
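The comment above says that, for now, applications must reject password reuse and check password strength themselves before calling SYSCS_UTIL.SYSCS_MODIFY_PASSWORD. The following is an added example of such an application-side vetter; it is not Derby project code and does not touch Derby. It keeps a bounded per-user history of salted PBKDF2 hashes (so the old passwords are never stored in cleartext), rejects a new password that matches the current one or any retained one, and applies a simple configurable strength rule. The history depth, minimum length, character-class rule and the PBKDF2 cost are assumptions chosen for the example.

```python
"""Application-side password-change vetter (added example, not Derby code).

Models the two services the comment says applications must provide
themselves: rejecting reuse of the current or any recent password, and
checking password strength, before the app calls SYSCS_MODIFY_PASSWORD.
"""
import hashlib
import hmac
import os
import re

# Assumption: cost parameter chosen for the example, not a Derby setting.
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256 so the history never holds cleartext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


class PasswordHistory:
    """Per-user list of (salt, digest) pairs, newest first, bounded by depth."""

    def __init__(self, history_depth=5):
        self.history_depth = history_depth
        self._entries = {}  # user -> [(salt, digest), ...]

    def record(self, user, password):
        """Push the password the user has just changed to; age out the oldest."""
        salt = os.urandom(16)  # fresh salt per entry defeats cross-entry matching
        entries = self._entries.setdefault(user, [])
        entries.insert(0, (salt, hash_password(password, salt)))
        del entries[self.history_depth:]

    def was_used(self, user, password):
        """True if the candidate equals the current password or any retained one."""
        for salt, digest in self._entries.get(user, []):
            if hmac.compare_digest(hash_password(password, salt), digest):
                return True
        return False


def strength_problems(password, min_length=12, min_classes=3):
    """Return a list of rule violations; empty means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < min_classes:
        problems.append("fewer than %d character classes" % min_classes)
    return problems


def vet_password_change(history, user, new_password):
    """Return (accepted, reasons). Both checks run so the user sees every problem."""
    reasons = strength_problems(new_password)
    if history.was_used(user, new_password):
        reasons.append("matches the current password or one in history")
    return (not reasons, reasons)


def change_password(history, user, new_password):
    """Vet, and on success record the new password in the history.

    In a real application the accepted branch is where the app would then
    call SYSCS_UTIL.SYSCS_MODIFY_PASSWORD; that call is omitted here.
    """
    accepted, reasons = vet_password_change(history, user, new_password)
    if accepted:
        history.record(user, new_password)
    return accepted, reasons


if __name__ == "__main__":
    # Constructed sample session: a user tries to "change" to the same password.
    h = PasswordHistory(history_depth=3)
    h.record("alice", "Correct-Horse-1")  # current password at enrolment
    for candidate in ("Correct-Horse-1", "short", "Correct-Horse-2"):
        print(candidate, "->", change_password(h, "alice", candidate))
```

With a history depth of N, a user has to rotate through N distinct acceptable passwords before the original one is accepted again, which is the behaviour the comment attributes to typical password vetters; the constant-time comparison and per-entry salt are there so the history itself does not become a weaker copy of the credential store.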
